How are you addressing ransomware at your organization?

VP of IT, 2 years ago

There are 3 things that I had done in my previous organization.
1. Invest and automate the basic security programs of patching, setting recovery priorities and acceptable limits, backing up, testing recoveries, and incident response
2. Invest and establish visibility of security posture of the enterprise by using micro segmentation, going inside out and by integrating security incidents and event assessments into incident response playbooks and runbooks
3. Invest, train and exercise the ability of top leadership on how to handle a ransomware-induced business crisis by preparing payment systems, using insurance, forensic analysts and negotiators when needed to ensure business continuity

Director of Technology in Government, 4 years ago

As long as money is to be made from ransomware attacks, all you can do is reduce your risk and liability by purchasing the right security tools, conducting vulnerability management, implementing a zero trust architecture, and educating your employees. There is no silver bullet for ransomware, but you can do your best to reduce your attack surface.

Director of IT in Software, 4 years ago

Back up everything, test backup every night, replicate to DR site, test DR site periodically, NGFW, SIEM, each department on a separate VLAN with firewall in-between, AV+EDR, security awareness training for employees, regular external and internal pen tests. So far so good :)

CIO in Education, 4 years ago

Nutanix Mine/Xi Leap and Veeam for immutable server backups. Code 42 for immutable endpoint backups.

Head of Security in Software, 4 years ago

When we were more on-premise, there was a configuration management database (CMDB) that was like a one-stop shop for inventory management. But now that we have cloud, the lifespan of what you would define as an asset is very small. Event management tools like security information management (SIM) will throw out alerts and then you need to consolidate that event into an incident. That incident could be ransomware, a data breach or an impersonation.

While there’s no one-size-fits-all approach to this, I would like to think you could have 1 incident management policy with individual incident management procedures. Depending on the type of incident, your CART team is going to change. If it is a data breach, there's more involvement with legal, marketing and communications teams. If it is ransomware, it's heavier on your IT and tech operations teams—of course there is still an element involving legal and cyber insurance, etc. Now that US laws have been able to tighten around that, there’s also a law enforcement component to it. You would have multiple specific incident response procedures governed by the same policy and the same training that you launch across the organization.
